Computer Security 3e. Dieter Gollmann. Chapter 5: 1
|
|
- Charlotte Alexander
- 5 years ago
- Views:
Transcription
1 Computer Security 3e Dieter Gollmann Chapter 5: 1
2 Chapter 5: Access Control Chapter 5: 2
3 Introduction Access control: who is allowed to do what? Traditionally, who is a person. Traditionally, what consists of an operation (read, write, execute, ) performed on a resource (file, directory, network port, ) The type of access control found in Unix, Windows. Today, access control is a more general task. Java sandbox: who is code running on a machine. Chapter 5: 3
4 Agenda Fundamental terminology Principals & subjects, access operations Authentication & authorisation Policies Capabilities & access control list Discretionary & mandatory access control Role Based Access Control Policy instantiation Structuring policies Partial orderings & lattices Chapter 5: 4
5 Security Policies Access control enforces operational security policies. A policy specifies who is allowed to do what. The active entity requesting access to a resource is called principal. The resource access is requested for is called object. Reference monitor is the abstract machine enforcing access control; guard mediating all access requests. Traditionally, policies refer to the requestor s identity and decisions are binary (yes/no). Chapter 5: 5
6 Authentication & Authorisation authentication s authorisation o ACL principal access request reference monitor object B. Lampson, M. Abadi, M. Burrows, E. Wobber: Authentication in Distributed Systems: Theory and Practice, ACM Transactions on Computer Systems, 10(4), pages , 1992 Chapter 5: 6
7 Authentication & Authorisation Authentication: reference monitor verifies the identity of the principal making the request. A user identity is one example for a principal. Authorisation: reference monitor decides whether access is granted or denied. Reference monitor has to find and evaluate the security policy relevant for the given request. Easy in centralized systems. In distributed systems, how to find all relevant policies? how to make decisions if policies may be missing? Chapter 5: 7
8 Authentication User enters username and password. If the values entered are correct, the user is authenticated. We could say: The machine now runs on behalf of the user. This might be intuitive, but it is imprecise. Log on creates a process that runs with access rights assigned to the user. Typically, the process runs under the user identity of the user who has logged on. Chapter 5: 8
9 Users & User Identities Requests to reference monitor do not come directly from a user or a user identity, but from a process. In the language of access control, the process speaks for the user (identity). The active entity making a request within the system is called the subject. You must distinguish between three concepts: User: person; User identity (principal): name used in the system, possibly associated with a user; Process (subject) running under a given user identity. Chapter 5: 9
10 Principals & Subjects Terminology (widely but not universally adopted): Policy: A principal is an entity that can be granted access to objects or can make statements affecting access control decisions. Example: user ID System: Subjects operate on behalf of (human users we call) principals; access is based on the principal s name bound to the subject in some unforgeable manner at authentication time. Example: process (running under a user ID) M. Gasser et al.: The Digital Distributed System Security Architecture Chapter 5: 10
11 Principals & Subjects Principal and subject are both used to denote the entity making an access request. The term principal is used in different meanings, which can cause much confusion. M. Gasser (1990): Because access control structures identify principals, it is important that principal names be globally unique, human-readable and memorable, easily and reliably associated with known people. We will examine later whether this advice is still valid. Chapter 5: 11
12 Basic Terminology Recap Subject/Principal: Active entity user or process. Object: Passive entity file or resource. Access operations: Vary from basic memory access (read, write) to method calls in object-oriented systems. Comparable systems may use different access operations or attach different meanings to operations which appear to be the same. Chapter 5: 12
13 Access Operations Access right: right to perform an (access) operation; we will use the terms interchangeably. Permission: typically a synonym for access right. Privilege: typically a set of access rights given directly to roles like administrator, operator,... These terms may have specific meanings in individual systems. Chapter 5: 13
14 Access Operations On the most elementary level, a subject may observe an object, or alter an object. Some fundamental policies can be expressed with these basic access modes. For practical purposes a richer set of operations is more convenient. We will give examples for richer sets of access operations; note how certain terms are used with different meanings. Chapter 5: 14
15 Elementary Access Operations Bell-LaPadula model (see chapter 11) has four access rights: execute read append, also called blind write write Mapping between access rights and access modes: observe alter execute append X read X write X X Chapter 5: 15
16 Rationale In a multi-user O/S, users open files to get access; files are opened for read or for write access so that the O/S can avoid conflicts like two users simultaneously writing to the same file. Write access usually includes read access; a user editing a file should not be asked to open it twice; Hence, write includes observe and alter mode. Few systems implement append; allowing users to alter an object without observing its content is rarely useful (exception: audit log). A file can be used without being opened (read); example: use of a cryptographic key; this can be expressed by an execute right that includes neither observe nor alter mode. Chapter 5: 16
17 Access Rights (Unix/Linux) Three access operations on files: read: from a file write: to a file execute: a file Access operations on directories: read: list contents write: create or rename files in the directory execute: search directory Deleting files/subdirectories handled by access operations in the directory. Chapter 5: 17
18 Administrative Access Rights Policies for creating and deleting files expressed by access control on the directory (Unix). specific create and delete rights (Windows, OpenVMS). Policies for defining security settings such as access rights handled by: access control on the directory specific rights like grant and revoke Rights in CORBA: get, set, use, manage Chapter 5: 18
19 Access Control Structures Chapter 5: 19
20 Policy Focus Principals & objects provide a different focus of control: What is the principal allowed to do? What may be done with an object? Traditionally operating systems provide an infrastructure managing files and resources, i.e. objects; access control takes the second approach. Application oriented IT systems, like database management systems, provide services to the user and often control actions of principals. Note: some sources use authorisation to denote the process of setting policies. Chapter 5: 20
21 Access Control Structures Policy is stored in an access control structure. Access control structure should help to capture your desired access control policy. You should be able to check that your policy has been captured correctly. Access rights can be defined individually for each combination of subject and object. For large numbers of subjects and objects, such structures are cumbersome to manage; intermediate levels of control are preferable. Chapter 5: 21
22 Access Control Matrix At runtime, we could specify for each combination of subject and object the operations that are permitted. S set of subjects O set of objects A set of access operations Access control matrix: M = (M so ) s S,o O Matrix entry M so A specifies the operations subject s may perform on object o. You can visualize the matrix as a (big) table. [B. Lampson: Protection, ACM OS Reviews,1974] Chapter 5: 22
23 Access Control Matrix Access control matrix has a row for each subject and a column for each object. bill.doc edit.exe fun.com Alice - {exec} {exec,read} Bob {read,write} {exec} {exec,read,write} Access control matrix is an abstract concept, not very suitable for direct implementation, not very convenient for managing security. How do you answer the question: Has your security policy been implemented correctly? Chapter 5: 23
24 Capabilities Focus on the subject access rights stored with the subject capabilities rows of the access control matrix Alice edit.exe: {exec} fun.com: {exec,read} Subjects may grant rights to other subjects; subjects may grant the right to grant rights. How to check who may access a specific object? How to revoke a capability? Distributed system security has created renewed interest in capabilities. Chapter 5: 24
25 Access Control Lists (ACLs) Focus on the object access rights of principals stored with the object ACLs columns of the access control matrix fun.com Alice: {exec} Bill: {exec,read,write} How to check access rights of a specific subject? ACLs implemented in most commercial operating systems but their actual use is limited. Chapter 5: 25
26 Who Sets the Policy? Security policies specify how principals are given access to objects. Responsibility for setting policy could be assigned to the owner of a resource, who may decree who is allowed access; such policies are called discretionary as access control is at the owner s discretion. a system wide policy decreeing who is allowed access; such policies are called mandatory. Warning: other interpretations of discretionary and mandatory access control exist. Chapter 5: 26
27 DAC & MAC Access control based on policies that refer to user identities was historically (since the 1970s) called discretionary access control (DAC). Referring to individual users in a policy works best within closed organisations. Access control based on policies that refer to security labels (confidential, top secret, ) was historically called mandatory access control (MAC). DAC and MAC have survived in computer security text books, but not very much in the wild. Chapter 5: 27
28 Intermediate Levels In computer science, problems of complexity are solved by adding another level of indirection. [David Wheeler] We apply this principle and introduce intermediate layers between users and objects to represent policies in a more manageable fashion. Chapter 5: 28
29 IBAC & Groups We might use identity based access control (IBAC) instead of DAC. IBAC does not scale well and will incur an identity management overhead. Alice and Bob are students in a large class; teacher wants to give students access to some documents. Putting all names into several ACLs is tedious so the teacher defines a group, declares the students to be members of group, and puts group into the ACLs. Access rights are often defined for groups: Unix: owner, group, others Chapter 5: 29
30 Groups & Negative Permissions Groups: intermediate layer between users and objects. users groups objects To handle exceptions, negative permissions withdraw rights users groups objects Chapter 5: 30
31 Roles Alternatively, in our example we could have created a role student. Definition: A role is a collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role. Teacher creates a procedure for reading course material, assigns this procedure to the role student. A role course tutor could be assigned a procedure for updating documents. Chapter 5: 31
32 RBAC Role Based Access Control Procedures: High level access operations with a more complex semantic than read or write; procedures can only be applied to objects of certain data types. Example: Funds transfer between bank accounts. Roles are a good match for typical access control requirements in business. RBAC typical found at the application level. Difference between groups and roles?? Chapter 5: 32
33 More on RBAC Role hierarchies define relationships between roles; senior role has all access rights of the junior role. Do not confuse the role hierarchy with the hierarchy of positions (superior subordinate) in an organisation. These two hierarchies need not correspond. Separation of duties is an important security principle; numerous flavours of static and dynamic separation of duties policies exist. Example: a manager is given the right to assign access rights to subordinates, but not the right to exercise those access rights. Chapter 5: 33
34 NIST: RBAC Levels Flat RBAC: users are assigned to roles, permissions are assigned to roles, users get permissions via role membership; support for user-role reviews. Hierarchical RBAC: adds support for role hierarchies. Constrained RBAC: adds separation of duties. Symmetric RBAC: support for permission-role reviews (can be difficult to provide in large distributed systems). Chapter 5: 34
35 Role Based Access Control Standard: American National Standards Institute: Role Based Access Control, ANSI-INCITS However, The term RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users. [R. Sandhu, D. Ferraiolo, and R. Kuhn: The NIST Model for Role-Based Access Control: Towards a Unified Standard, Proceedings of the 5th ACM Workshop on Role-Based Access Control, Berlin, Germany, July 26-27, 2000 Chapter 5: 35
36 Lesson: Intermediate Controls Intermediate controls for better security management; to deal with complexity, introduce more levels of indirection. users roles procedures data types objects Chapter 5: 36
37 Protection Rings Protection rings are mainly used for integrity protection. Chapter 5: 37
38 Protection Rings Each subject (process) and each object is assigned a number, depending on its importance, e.g. 0 operating system kernel 1 operating system 2 utilities 3 user processes Numbers correspond to concentric protection rings, ring 0 in centre gives highest degree of protection. If a process is assigned number i, we say the process runs in ring i. Access control decisions are made by comparing the subject s and object s ring. Chapter 5: 38
39 Policy Instantiation When developing software you will hardly know who will eventually make use of it. At this stage, security policies cannot refer to specific user identities. A customer deploying the software may know its authorized users and can instantiate a generic policy with their respective user identities. Generic policies will refer to placeholder principals like owner, group, others (world, everyone). Reference monitor resolves values of placeholders to user identities when processing an actual request. Chapter 5: 39
40 Structuring Policies Chapter 5: 40
41 Structuring Access Control Some resources in an academic department can be accessed by all students, other resources only by students in a particular year. Department creates groups like All-Students and Y1-Students. The two groups are related, Y1-Students is a subgroup of All-Students; if All-Students has access to a resource, so has Y1-Students. No such direct relationship between Y1-Students and Y2-Students. Chapter 5: 41
42 Partial Orderings We now can use comparisons in security policies: Is the user s group a subgroup of the group permitted to access this resource? Some groups are related but others are not (e.g. Y1-Students and Y2-Students). Relationships are transitive: CS101-Students Y1-Students All-Students In mathematical terms, we are dealing with a partial ordering. Chapter 5: 42
43 Mathematical Definition A partial ordering ( less or equal ) on a set L is relation on L L that is reflexive: for all a L, a a transitive: for all a,b,c L, if a b and b c, then a c antisymmetric: for all a,b L, if a b and b a, then a=b If a b, we say b dominates a or a is dominated by b. Chapter 5: 43
44 Examples Integers with the relation divides by : We can order 3 and 6 (3 divides 6); we cannot order 4 and 6. Integers with the relation ( less or equal ): We can order any two elements (total ordering). Strings with the prefix relation: We can order AA and AABC (AA is a prefix of AABC) but not AA and AB. Power set P(C) with subset relation : We can order {a,b} and {a,b,c} ({a,b} {a,b,c}) but not {a,b} and {a,c}. Chapter 5: 44
45 Example: VSTa Microkernel Groups in Unix are defined by their group ID and are not ordered. VSTa uses (cap)abilities to support hierarchies: VSTa (cap)ability is a list of integers.i 1.i 2..i n, e.g..1,.1.2,.1.2.3,.4, Abilities are ordered by the prefix relation: a 2 is a prefix of a 1 (written as a 2 a 1 ) if there exists a 3 so that a 1 = a 2 a 3. The empty string ε is the prefix of any ability. For example: but not.1.4! Chapter 5: 45
46 Abilities and our Example Assign abilities to groups: All-students:.3 Y1-Students:.3.1 CS101-Students: CS105-Students Label objects with appropriate abilities Policy: access is given if the object s label is a prefix of the subject s label; CS101-Students have access to objects labelled or.3.1 or.3 but not to objects labelled Chapter 5: 46
47 Null Values Consider the dual of the previous policy: access is granted if the subject s ability is a prefix of the ability of the object. A subject without an ability has access to every object. Frequent problem: when an access control parameter is missing the policy is not evaluated and access is granted. NULL DACL problem in Windows: Nobody has access to a file with an empty ACL but everyone has access to a file with no ACL. Chapter 5: 47
48 Towards Lattices In our example, how should we label objects that may be accessed both by CS101-Students and CS105- Students? Answer:?? How should we label a subject that may access resources earmarked for CS101-Students and resources earmarked forcs105-students? Answer:?? To answer both questions, we need more structure than just partial orderings. Chapter 5: 48
49 Towards Lattices The slide on lattices to remember Assume that a subject may observe an object only if the subject s label is higher than the object s label. We can ask two questions: Given two objects with different labels, what is the minimal label a subject must have to be allowed to observe both objects? Given two subjects with different labels, what is the maximal label an object can have so that it still can be observed by both subjects? A lattice is a mathematical structure where both questions have unique best answers. Chapter 5: 49
50 Lattice (L, ) The slide on lattices you must not memorize A lattice (L, ) is a set L with a partial ordering so that for every two elements a,b L there exists a least upper bound u L: a u, b u, and for all v L: (a v b v) u v. a greatest lower bound l L: l a, l b, and for all k L: (k a k b) k l. Lattices come naturally whenever one deals with hierarchical security attributes. Chapter 5: 50
51 System Low & System High A label that is dominated by all other labels is called System Low. A label that dominates all other labels is called System High. System Low and System High need not exist; if they exist, they are unique. When L is a finite set, the elements System Low and System High exist. Chapter 5: 51
52 Lattices - Example 1 The natural numbers with the ordering relation divides by form a lattice: The l.u.b. of a,b is their least common multiple. The g.l.b. of a,b is their greatest common divisor. There exists an element System Low: the number 1. There is no element System High. Chapter 5: 52
53 Lattices - Example 2 The integers with the ordering form a lattice: The l.u.b. of a,b is the maximum of a and b. The g.l.b. of a,b is the minimum of a and b. Elements System Low and System High do not exist. The integers with the ordering are a total ordering. Chapter 5: 53
54 Lattices - Example 3 (P({a,b,c}), ), i.e. the power set of {a,b,c}, with the subset relation as partial ordering: least upper bound: union of two sets. greatest lower bound: intersection of two sets. {a,b,c} {a,b} {a,c} {b,c} {a} {b} {c} {} Lines indicate the subset relation. Chapter 5: 54
55 Summary Security terminology is ambiguous. Policies expressed in terms of principals and objects. In identity-based access control, users are principals. Deployed in practice: RBAC, ACLs to a minor extent. More sophisticated policies draw you into mathematics. We have covered classical access control; we return to current trends later. Distinguish between access control as a security service and its various implementations. Chapter 5: 55
Access Control (slides based Ch. 4 Gollmann)
Access Control (slides based Ch. 4 Gollmann) Preliminary Remarks Computer systems and their use have changed over the last three decades. Traditional multi-user systems provide generic services to their
More informationAccess Control Part 1 CCM 4350
Access Control Part 1 CCM 4350 Overview of Access Control Lectures Three Lectures on Access Control following D. Gollmann. Computer Security. Wiley: Chapter 4. Part 1: Authorisation and Access Operation
More informationAccess Control Part 3 CCM 4350
Access Control Part 3 CCM 4350 Today s Lecture Repetition of Structuring Access Control Fresh up notions of Partial Orders Again Example of Groups ordering for VSTa- Microkernel abilities as Motivation
More informationComputer Security. Access control. 5 October 2017
Computer Security Access control 5 October 2017 Policy and mechanism A security policy is a statement of what is, and what is not, allowed. A security mechanism is a method, tool or procedure for enforcing
More informationCCM Lecture 12. Security Model 1: Bell-LaPadula Model
CCM 4350 Lecture 12 Security Model 1: Bell-LaPadula Model Why Security Models? When we have implemented a security policy, do we know that it will (and can) be enforced? E.g., if policies get too intricate,
More informationLast time. User Authentication. Security Policies and Models. Beyond passwords Biometrics
Last time User Authentication Beyond passwords Biometrics Security Policies and Models Trusted Operating Systems and Software Military and Commercial Security Policies 9-1 This time Security Policies and
More informationAccess Control. Discretionary Access Control
Access Control Discretionary Access Control 1 Outlines Access Control Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) 2 Access Control Access control
More informationModule 4: Access Control
Module 4: Access Control Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University, Jackson, MS 39232 E-mail: natarajan.meghanathan@jsums.edu Access Control In general,
More informationAccess control models and policies. Tuomas Aura T Information security technology
Access control models and policies Tuomas Aura T-110.4206 Information security technology 1. Access control 2. Discretionary AC 3. Mandatory AC 4. Other AC models Outline 2 ACCESS CONTROL 3 Access control
More informationAccess Control Models
Access Control Models Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Access Control Models Access Control to regulate
More informationAccess Control Mechanisms
Access Control Mechanisms Week 11 P&P: Ch 4.5, 5.2, 5.3 CNT-4403: 26.March.2015 1 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection
More informationAccess Control Models Part II
Access Control Models Part II CERIAS and CS &ECE Departments Pag. 1 Introduction Other models: The Chinese Wall Model it combines elements of DAC and MAC RBAC Model it is a DAC model; however, it is sometimes
More informationCS 356 Lecture 7 Access Control. Spring 2013
CS 356 Lecture 7 Access Control Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,
More informationAccess control models and policies
Access control models and policies Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2013 1. Access control 2. Discretionary AC 3. Mandatory AC 4. Other AC models Outline
More informationA Survey of Access Control Policies. Amanda Crowell
A Survey of Access Control Policies Amanda Crowell What is Access Control? Policies and mechanisms that determine how data and resources can be accessed on a system. The Players Subjects Objects Semi-objects
More informationDiscretionary Vs. Mandatory
Discretionary Vs. Mandatory Discretionary access controls (DAC) Privilege propagated from one subject to another Possession of an access right is sufficient to access the object Mandatory access controls
More informationCPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:
CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME: There are 6 questions on this quiz. Each question is individually weighted. If you do not understand the question, please ask for clarification. 1 I. (24
More informationAccess control models and policies
Access control models and policies Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 1. Access control 2. Discretionary AC 3. Mandatory AC 4. Other AC models Outline
More informationAccess Control. Discretionary Access Control
Access Control Discretionary Access Control 1 Access Control Access control is where security engineering meets computer science. Its function is to control which (active) subject have access to a which
More informationCore Role Based Access Control (RBAC) mechanism for MySQL
Core Role Based Access Control (RBAC) mechanism for MySQL by Ian Molloy Radu Dondera Umang Sharan CS541 Project Report Under the Guidance of Prof. Elisa Bertino With the Department of Computer Science
More informationSecurity Models Trusted Zones SPRING 2018: GANG WANG
Security Models Trusted Zones SPRING 2018: GANG WANG Access Control Slides credit to Ethan L. Miller and Scott A. Brandt Protection Domains Three protection domains Each lists objects with permitted operations
More informationDiscretionary Access Control (DAC)
CS 5323 Discretionary Access Control (DAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 7 ravi.utsa@gmail.com www.profsandhu.com Ravi Sandhu 1 Authentication, Authorization, Audit AAA
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Radu Sion Integrity Policies Hybrid Policies 2005-12 parts by Matt Bishop, used with permission Integrity Policies: Overview Requirements Very different than
More informationChapter 7: Hybrid Policies
Chapter 7: Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Slide #7-1 Overview Chinese Wall Model Focuses on conflict of interest CISS Policy Combines
More informationP1L5 Access Control. Controlling Accesses to Resources
P1L5 Access Control Controlling Accesses to Resources TCB sees a request for a resource, how does it decide whether it should be granted? Authentication establishes the source of a request Authorization
More informationLecture 4: Bell LaPadula
CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula References:
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationChapter 6: Integrity Policies
Chapter 6: Integrity Policies Overview Requirements Biba s models Clark-Wilson model Slide #6-1 Overview Requirements Very different than confidentiality policies Biba s model Clark-Wilson model Slide
More informationAccess control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN
Access control Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2010 1 Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC)
More informationAccess Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy
Access Control: enacting a security policy Access Control COMP 435 Fall 2017 Prof. Cynthia Sturton Which users can access which resources and with which rights 2 Access Control: enacting a security policy
More informationComplex Access Control. Steven M. Bellovin September 10,
Complex Access Control Steven M. Bellovin September 10, 2013 1 Access Control Matrix List all proceses and files in a matrix Each row is a process ( subject ) Each column is a file ( object ) Each matrix
More informationCSN11111 Network Security
CSN11111 Network Security Access Control r.ludwiniak@napier.ac.uk Learning Objectives Access Control definition Models Information access control Network based access control AAA Radius Tacacs+ ACCESS
More informationMay 1: Integrity Models
May 1: Integrity Models Biba Clark-Wilson Comparison Trust models May 1, 2017 ECS 235B Spring Quarter 2017 Slide #1 Integrity Overview Requirements Very different than confidentiality policies Biba s models
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU)
More information1. Represent each of these relations on {1, 2, 3} with a matrix (with the elements of this set listed in increasing order).
Exercises Exercises 1. Represent each of these relations on {1, 2, 3} with a matrix (with the elements of this set listed in increasing order). a) {(1, 1), (1, 2), (1, 3)} b) {(1, 2), (2, 1), (2, 2), (3,
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationWeek 10 Part A MIS 5214
Week 10 Part A MIS 5214 Agenda Project Authentication Biometrics Access Control Models (DAC Part A) Access Control Techniques Centralized Remote Access Control Technologies Project assignment You and your
More informationOverview. Evolution of Access Control in Commercial Products. Access Control is Different from other Mechanisms. Security Policies
Overview Evolution of Access Control in Commercial Products Policies, Models and Techniques David Ferraiolo National Institute of Standards and Technology 301-975-3046 dferraiolo@nist.gov Practical View
More informationPolicy, Models, and Trust
Policy, Models, and Trust 1 Security Policy A security policy is a well-defined set of rules that include the following: Subjects: the agents who interact with the system, Objects:the informational and
More informationLampson, Abadi, Burrows and Wobber. Authentication: Theory and Practice, Taos OS ACM TOCS 1992, 1994
Lampson, Abadi, Burrows and Wobber Authentication: Theory and Practice, Taos OS ACM TOCS 1992, 1994 Logic (1) 1. K says S ( A and B ) says S ( A says S ) and ( B says S ) if A = B, then ( A says S ) (
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 4: Access Control Eran Tromer 1 Slides credit: John Mitchell, Stanford course CS155, 2010 Access control Assumptions System knows
More informationFormal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8
Formal methods and access control Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8 Today s topics: Access control basics Model Matrix and protection states Access control
More informationChapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao
Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database
More informationWe ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?
We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and
More informationInformation Security CS 526
Information Security CS 526 Topic 23: Role Based Access Control CS526 Topic 23: RBAC 1 Readings for This Lecture RBAC96 Family R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-Based Access
More informationRBAC: Motivations. Users: Permissions:
Role-based access control 1 RBAC: Motivations Complexity of security administration For large number of subjects and objects, the number of authorizations can become extremely large For dynamic user population,
More informationChapter 13: Protection. Operating System Concepts Essentials 8 th Edition
Chapter 13: Protection Operating System Concepts Essentials 8 th Edition Silberschatz, Galvin and Gagne 2011 Chapter 13: Protection Goals of Protection Principles of Protection Domain of Protection Access
More informationAdvanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96
Advanced Access Control In many cases, identity is a bad criteria for authorization. We examine two modern paradigms for access control, which overcome this limitation: 1. Role-Based Access Control 2.
More informationGeneral Access Control Model for DAC
General Access Control Model for DAC Also includes a set of rules to modify access control matrix Owner access right Control access right The concept of a copy flag (*) Access control system commands General
More informationProtecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets
Protecting Information Assets - Week 10 - Identity Management and Access Control MIS5206 Week 10 Identity Management and Access Control Presentation Schedule Test Taking Tip Quiz Identity Management and
More informationCS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies
CS 392/ CS 681 - Computer Security Nasir Memon Polytechnic University Module 7 Security Policies Course Logistics Security Week Questions about Midterm grading Read parts of chapters 4, 5, 6 and 7. Homework
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 11 - Access Control October 10, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ Access Control System Protection Domain What can be accessed by a process Default
More informationAccess Control. Protects against accidental and malicious threats by
Access Control 1 Access Control Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects: system resources for which protection
More informationContent-based Management of Document Access. Control
Content-based Management of Document Access Control Edgar Weippl, Ismail Khalil Ibrahim Software Competence Center Hagenberg Hauptstr. 99, A-4232 Hagenberg, Austria {edgar.weippl, ismail.khalil-ibrahim}@scch.at
More informationChapter 14: Protection. Operating System Concepts 9 th Edition
Chapter 14: Protection Silberschatz, Galvin and Gagne 2013 Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection Access Matrix Implementation of Access Matrix Access
More informationPower Set of a set and Relations
Power Set of a set and Relations 1 Power Set (1) Definition: The power set of a set S, denoted P(S), is the set of all subsets of S. Examples Let A={a,b,c}, P(A)={,{a},{b},{c},{a,b},{b,c},{a,c},{a,b,c}}
More informationProtection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger
Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify
More informationDiscretionary Access Control (DAC)
CS 5323 Discretionary Access Control (DAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 2 ravi.utsa@gmail.com www.profsandhu.com Ravi Sandhu 1 Authentication Ravi Sandhu 2 Authentication,
More informationOperating Systems Security Access Control
Authorization and access control Operating Systems Security Access Control Ozalp Babaoglu From authentication to authorization Once subjects have been authenticated, the next problem to confront is authorization
More informationBinary Relations McGraw-Hill Education
Binary Relations A binary relation R from a set A to a set B is a subset of A X B Example: Let A = {0,1,2} and B = {a,b} {(0, a), (0, b), (1,a), (2, b)} is a relation from A to B. We can also represent
More informationA Framework for Enforcing Constrained RBAC Policies
A Framework for Enforcing Constrained RBAC Policies Jason Crampton Information Security Group Royal Holloway, University of London jason.crampton@rhul.ac.uk Hemanth Khambhammettu Information Security Group
More informationAccess Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions
Access Control 1 Access Control Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects: system resources for which protection
More informationCIS433/533 - Introduction to Computer and Network Security. Access Control
CIS433/533 - Introduction to Computer and Network Security Access Control Professor Butler Winter 2011 Computer and Information Science Trusted Computing Base The trusted computing base is the infrastructure
More informationProtection Kevin Webb Swarthmore College April 19, 2018
Protection Kevin Webb Swarthmore College April 19, 2018 xkcd #1200 Before you say anything, no, I know not to leave my computer sitting out logged in to all my accounts. I have it set up so after a few
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationCSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger
CSCI 420: Mobile Application Security Lecture 7 Prof. Adwait Nadkarni Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger 1 cryptography < security Cryptography isn't the solution to
More informationLabels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
More informationComputer Security Operating System Security & Access Control. Dr Chris Willcocks
Computer Security Operating System Security & Access Control Dr Chris Willcocks Lecture Content Access Control ACMs ACLs Introduction to *NIX security - we ll cover this more due to server popularity -
More informationData Security and Privacy. Topic 8: Role Based Access Control
Data Security and Privacy Topic 8: Role Based Access Control Plan for this lecture CodeShield: towards personalized application whitelisting. Christopher S. Gates, Ninghui Li, Jing Chen, Robert W. Proctor:
More informationSecure Architecture Principles
CS 155 Spring 2017 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Secure Architecture Principles Isolation
More informationOperating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)
Operating System Security Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own) Hw1 grades out this Friday Announcement Travel: out of town
More informationData Warehouse. T rusted Application. P roject. Trusted System. T echnology. System. Trusted Network. Physical Security
T rusted Application Trusted System Trusted Network Physical Security System T echnology Data Warehouse P roject Filetransfer Access right just on the data transfer directories Mailbox L oadprocess Data
More informationCCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson
CCM 4350 Lecture 14 Security Models 2: Biba, Chinese Wall, Clark Wilson Introduction Bell-LaPadula model designed to capture a specific military security policy. At one time treated as the model of security.
More informationCS590U Access Control: Theory and Practice. Lecture 12 (February 23) Role Based Access Control
CS590U Access Control: Theory and Practice Lecture 12 (February 23) Role Based Access Control Role-Based Access Control Models. R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. IEEE Computer,
More informationAccess Control. Steven M. Bellovin September 13,
Access Control Steven M. Bellovin September 13, 2016 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationCSE543 - Introduction to Computer and Network Security. Module: Operating System Security
CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security An secure OS should provide (at least) the following mechanisms Memory protection
More informationAccess Control. Dr George Danezis
Access Control Dr George Danezis (g.danezis@ucl.ac.uk) Resources Key paper: Carl E. Landwehr: Formal Models for Computer Security. ACM Comput. Surv. 13(3): 247-278 (1981) See references to other optional
More information? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week
Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project
More informationSecure Architecture Principles
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure
More informationAccess control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN
Access control Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2013 1 Overview Introduction: Lampson s model for access control Classical User Access Control Models Discretionary Access Control
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informationIntrusion Detection Types
Intrusion Detection Continued Tom Longstaff SM Software Engineering Institute Pittsburgh PA 1521 The is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is
More informationConflict Checking of Separation of Duty Constraints in RBAC - Implementation Experiences
xorbac Conflict Checking of Separation of Duty Constraints in RBAC - Implementation Experiences Mark Strembeck Department of Information Systems, New Media Lab Vienna University of Economics and BA, Austria
More informationAn Object-Dependent and Context Constraints-Aware Access Control Approach Based on RBAC
An Object-Dependent and Context Constraints-Aware Access Control Approach Based on RBAC Xiaoli Ren, Lu Liu and Chenggong Lv School of Economics & Management, Beihang University, Beijing 100083, P.R. China
More informationMobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology
Mobile and Heterogeneous databases Security A.R. Hurson Computer Science Missouri Science & Technology 1 Note, this unit will be covered in two lectures. In case you finish it earlier, then you have the
More informationSummary. Final Week. CNT-4403: 21.April
Summary Final Week CNT-4403: 21.April.2015 1 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic
More informationDAC vs. MAC. Most people familiar with discretionary access control (DAC)
p. 1/1 DAC vs. MAC Most people familiar with discretionary access control (DAC) - Example: Unix user-group-other permission bits - Might set a fileprivate so only groupfriends can read it Discretionary
More informationAn Operational Semantics of Java 2 Access Control
An Operational Semantics of Java 2 Access Control Günter Karjoth IBM Research Zurich Research Laboratory gka@zurich.ibm.com Abstract Java 2 Security enhanced with the Java Authentication and Authorization
More informationCSE361 Web Security. Access Control. Nick Nikiforakis
CSE361 Web Security Access Control Nick Nikiforakis nick@cs.stonybrook.edu Access Control: introduction How do we protect our confidential data from unauthorized usage? Two important cases: An attacker
More informationOperating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.
Operating Systems Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring 2014 Paul Krzyzanowski Rutgers University Spring 2015 April 22, 2015 2015 Paul Krzyzanowski 1 Question 1 A weakness of using
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationCS 416: Operating Systems Design April 22, 2015
Question 1 A weakness of using NAND flash memory for use as a file system is: (a) Stored data wears out over time, requiring periodic refreshing. Operating Systems Week 13 Recitation: Exam 3 Preview Review
More informationCSE 127: Computer Security. Security Concepts. Kirill Levchenko
CSE 127: Computer Security Security Concepts Kirill Levchenko October 3, 2014 Computer Security Protection of systems against an adversary Secrecy: Can t view protected information Integrity: Can t modify
More informationPolicy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems
Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification
More informationTPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies
Chapter 8 TPM Entities A TPM 2.0 entity is an item in the TPM that can be directly referenced with a handle. The term encompasses more than objects because the specification uses the word object to identify
More informationAttribute-Based Access Control Models
Institute for Cyber Security Attribute-Based Access Control Models Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber Security University of Texas at
More informationINHERITANCE PROPERTIES OF ROLE HIERARCHIES. W.A. Jansen National Institute of Standards and Technology Gaithersburg, MD 20899, USA
INHERITANCE PROPERTIES OF ROLE HIERARCHIES W.A. Jansen National Institute of Standards and Technology Gaithersburg, MD 20899, USA wjansen@nist.gov Abstract: Role Based Access Control (RBAC) refers to a
More informationRole-Evolution in Role-based Access Control System Suganthy. A * Department of Banking Technology Pondicherry University, Puducherry, India
International Journal of Emerging Research in Management &Technology Research Article July 2017 -Evolution in -based Access Control System Suganthy. A * Department of Banking Technology Pondicherry University,
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More information